STIGQter: STIG Summary: Voice/Video over Internet Protocol (VVoIP) STIG

Version: 3

Release: 14

Benchmark Date: 26 Apr 2019

| Name | Title |
|---|---|
| SV-21495r3_rule | Unified messaging and email text-to-speech features must be disabled because there is no PKI authentication and no access control to email. |
| SV-21766r2_rule | PC presentation or application sharing capabilities are not properly limited. |
| SV-21769r2_rule | VVoIP component(s) are NOT addressed using the defined dedicated VVoIP system addresses. |
| SV-21770r3_rule | VVoIP core components must use DHCP static allocation (reservations) or be statically addressed. |
| SV-21771r4_rule | VVoIP endpoints must receive IP address assignment and configuration information from a DHCP server with a dedicated scope to the VVoIP system. |
| SV-21772r2_rule | A VVoIP core system/device or a traditional TDM based telecom switch is acting as a network router in that it does not block traffic between its attached management network interface(s) (one or more; logical or physical) and/or its production network interface(s) (logical or physical). |
| SV-21773r3_rule | Logical or physical interfaces must be configured on the VVoIP core routing devices for the VVoIP core equipment to support access and traffic control for the VVoIP system components. |
| SV-21775r2_rule | VLANs established for the VVoIP system are NOT pruned from trunks and/or interfaces that are not required to carry the VVoIP traffic. |
| SV-21776r3_rule | A deny-by-default ACL for VVoIP endpoint VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design. |
| SV-21777r3_rule | A deny-by-default ACL for all VVoIP endpoint VLAN interfaces must be implemented on VVoIP non-core routing devices as defined in the VVoIP system ACL design. |
| SV-21778r3_rule | A deny-by-default ACL for session manager VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design. |
| SV-21779r3_rule | A deny-by-default ACL for media gateway VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design. |
| SV-21780r3_rule | A deny-by-default ACL for signaling gateway VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design. |
| SV-21781r3_rule | A deny-by-default ACL for session border VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design. |
| SV-21783r3_rule | A deny-by-default ACL for voicemail and unified messaging servers VLAN interfaces must be implemented on core routing devices as defined in the VVoIP system ACL design. |
| SV-21784r3_rule | A deny-by-default ACL for unified communications server VLAN interfaces must be implemented on core routing devices as defined in the VVoIP system ACL design. |
| SV-21785r3_rule | A deny-by-default ACL for system management VLAN interfaces must be implemented on VVoIP core routing devices as defined in the VVoIP system ACL design. |
| SV-21786r2_rule | The implementation of Unified Mail services degrades the separation between the voice and data protection zones (VLANs). |
| SV-21787r2_rule | The LAN Access switch port is NOT configured to place the VVoIP or VTC traffic in the proper VLAN (e.g., the port is NOT assigned to the proper VLAN) or the port does not assign the appropriate VLAN tag via some other method. |
| SV-21788r2_rule | The LAN access switch (discrete NE or module in a larger NE) is NOT capable of, or is NOT configured to, maintain the required VLAN separation for traffic originating from supported endpoints and DOES NOT route voice, VTC, PC communications client, and data traffic to their respective VLANs on the LAN. |
| SV-21789r2_rule | LAN access switchports supporting VVoIP or VTC endpoints containing a PC port are configured in trunk mode, NOT in access mode or "802.1Q tagged access mode." |
| SV-21790r2_rule | LAN access switchport supporting a VVoIP or VTC endpoint that does not, or is not configured to, apply 802.1Q VLAN tags to its traffic is NOT statically assigned to the appropriate local VVoIP or VTC VLAN. |
| SV-21791r2_rule | A LAN access switchport supports a VVoIP or VTC endpoint containing a PC port but is not configured with a default "data" VLAN to handle untagged PC port traffic and assign a secondary VVoIP or VTC VLAN to handle the tagged VVoIP or VTC traffic. |
| SV-21802r5_rule | The data network boundary must block all traffic destined to or sourced from VVoIP VLAN IP address space and VLANs except specifically permitted media and signaling traffic. |
| SV-21803r4_rule | The Customer Edge Router (CE-R) must expedite forwarding of VVoIP packets based on Differential Service Code Point (DSCP) packet marking. |
| SV-21804r4_rule | The Customer Edge Router (CE-R) must route all inbound traffic to the data firewall function except SIP, AS-SIP, and SRTP/SRTCP, which must route to the Session Border Controller (SBC). |
| SV-21805r4_rule | The Customer Edge Router (CE-R) must filter inbound AS-SIP-TLS traffic addressed to the local Session Border Controller (SBC) based on the source address of the signaling messages. |
| SV-21806r3_rule | The Session Border Controller (SBC) must filter inbound SIP and AS-SIP traffic based on the IP addresses of the internal Enterprise Session Controller (ESC), Local Session Controller (LSC), or Multi-Function Soft Switch (MFSS). |
| SV-21807r3_rule | The Session Border Controller (SBC) must be configured to terminate and decrypt inbound and outbound SIP and AS-SIP sessions to ensure proper management for the transition of the SRTP/SRTCP streams. |
| SV-21808r3_rule | The Session Border Controller (SBC) must be configured to only process packets authenticated from an authorized source within the DISN IPVS network. |
| SV-21809r3_rule | The Session Border Controller (SBC) must be configured to only process signaling packets whose integrity is validated. |
| SV-21810r3_rule | The Session Border Controller (SBC) must be configured to validate the structure and validity of SIP and AS-SIP messages, such that malformed messages or messages containing errors are dropped before action is taken on the contents. |
| SV-21811r3_rule | The Session Border Controller (SBC) must drop all SIP and AS-SIP packets except those secured with TLS. |
| SV-21812r3_rule | The Session Border Controller (SBC) must be configured to manage IP port pinholes for the SRTP/SRTCP bearer streams based on the information in the SIP and AS-SIP messages. |
| SV-21814r4_rule | The Session Border Controller (SBC) must perform stateful inspection and packet authentication for all VVoIP traffic (inbound and outbound), and deny all other packets. |
| SV-21815r4_rule | The Session Border Controller (SBC) must deny all packets traversing the enclave boundary (inbound or outbound) through the IP port pinholes opened for VVoIP sessions, except RTP/RTCP, SRTP/SRTCP, or other protocol/flow established by signaling messages. |
| SV-21816r3_rule | The Session Border Controller (SBC) must be configured to notify system administrators and ISSO when attempts to cause a denial-of-service (DoS) or other suspicious events are detected. |
| SV-21817r2_rule | The VVoIP system connects with a DISN IPVS (NIPRNet or SIPRNet) but the LSC(s) is not configured to signal with a backup MFSS (or SS) in the event the primary cannot be reached. |
| SV-21818r2_rule | The MFSS is NOT configured to synchronize minimally with a paired MFSS and/or others such that each may serve as a backup for the other when signaling with its assigned LSCs, thus reducing the reliability and survivability of the DISN IPVS network. |
| SV-23729r3_rule | Network elements configuration supporting VoIP services must provide redundancy supporting command and control (C2) assured services and Fire and Emergency Services (FES) communications. |
| SV-23730r3_rule | Network elements configuration supporting VoIP services must interconnect redundant uplinks following physically diverse paths to physically diverse network elements in the layer above with support for the full bandwidth handled by the network element using routing protocols facilitating failover. |
| SV-23732r3_rule | The extension mobility feature must only be enabled per user when specific security features are configured. |
| SV-95685r2_rule | The extension mobility feature must be globally disabled. |